
Simple Log Service: Encryption of data in transit

Last Updated: Dec 05, 2025

Simple Log Service uses Key Management Service (KMS) to encrypt data at rest. It also supports encrypted transmission over HTTPS, using SSL/TLS, to protect data in transit from security risks in the cloud.

Server-side encryption

Simple Log Service supports the following two encryption mechanisms:

  • Encryption using service keys provided by Simple Log Service

    Simple Log Service generates a unique data encryption key for each Logstore to encrypt data. This key never expires.

    The supported data encryption algorithms are the AES algorithm (default) and the SM4 encryption algorithm.

  • Encryption using Bring Your Own Key (BYOK)

    You can create a customer master key (CMK) in the KMS console and grant the necessary permissions to Simple Log Service. When Simple Log Service calls the KMS API, it uses this CMK to create keys for data encryption. If you delete or disable the CMK, the BYOK key becomes invalid.

    Important

    If the CMK generated by KMS BYOK becomes invalid, all read and write requests to the Logstore fail.

For more information, see Data encryption.

Encrypted transmission over HTTPS

Simple Log Service supports access over HTTP or HTTPS. Secure Sockets Layer (SSL)/Transport Layer Security (TLS) provides confidentiality and data integrity for data transmitted between applications.

  • Encrypted transmission using Logtail

    Logtail is an agent that Simple Log Service uses to collect logs. To protect data from tampering during transmission, Logtail uses an HTTPS channel to obtain a private token from the server and signs all log data packets.

  • Encrypted transmission using SDKs

    Simple Log Service offers SDKs in various programming languages, such as Java, Python, .NET, PHP, and C. You can use these SDKs to read data from and write data to Simple Log Service over HTTPS.

  • Encrypted transmission for data shipped to OSS

    Shipping data to OSS involves two processes. The first process is reading data from SLS storage to the SLS shipping service. This process occurs within the SLS cluster to prevent data tampering. The second process is transmitting data between SLS and OSS. This transmission uses an HTTPS channel to obtain a private token from the server, and all sent log data packets are signed to ensure security.
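
Because the service accepts both HTTP and HTTPS, the endpoint configured in each client decides whether its traffic is encrypted. The following added example (not code from the Simple Log Service documentation or its SDKs) audits configured endpoints and suggests an explicit HTTPS form; the client names and `*.logs.example.com` hosts are constructed sample data, and treating a bare hostname as "implicit" is a policy chosen for this example.

```python
from urllib.parse import urlsplit

# Constructed sample: client name -> endpoint as found in its configuration.
SAMPLE = {
    "billing-shipper": "https://proj-a.logs.example.com",
    "legacy-cron": "http://proj-b.logs.example.com",
    "batch-job": "proj-c.logs.example.com",
    "broken": "ftp://proj-d.logs.example.com",
}


def classify_endpoint(endpoint):
    """Return 'https', 'plaintext', 'implicit' or 'invalid'."""
    value = endpoint.strip()
    if "://" not in value:
        # Bare host: the scheme is left to the client library's default.
        return "implicit" if value and " " not in value else "invalid"
    parts = urlsplit(value)
    if not parts.hostname:
        return "invalid"
    return {"https": "https", "http": "plaintext"}.get(parts.scheme, "invalid")


def to_https(endpoint):
    """Rewrite an endpoint so that the scheme is explicitly https."""
    value = endpoint.strip()
    parts = urlsplit(value if "://" in value else "//" + value)
    if not parts.hostname:
        raise ValueError(f"no host in endpoint: {endpoint!r}")
    # Ports 80 and 443 are scheme defaults; keep only a custom port.
    port = "" if parts.port in (None, 80, 443) else f":{parts.port}"
    return f"https://{parts.hostname}{port}"


def audit(configs):
    """List (client, status, suggested endpoint) for every non-HTTPS entry."""
    findings = []
    for name, endpoint in sorted(configs.items()):
        status = classify_endpoint(endpoint)
        if status != "https":
            fix = None if status == "invalid" else to_https(endpoint)
            findings.append((name, status, fix))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```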